I. INTRODUCTION



Cryptography is the art of providing secure communication over insecure (i.e., subject 
to eavesdropping) communication channels. The security of a conventional cryptosystem 
often rests on a relatively short secret value known as the key that has to be agreed on by the
two legitimate users before secure communication can be started. For this reason, secure 
key distribution is a crucial issue in cryptography. Unfortunately, classical cryptography 
provides no tools to guarantee the security of the key distribution because classical signals 
are vulnerable to passive interception: A passive wiretapper can simply make copies (clones) 
of the carrier of information and read off from those copies the value of the key. Since the 
original carrier of information can be resent to the legitimate user without alteration, there 
is no way for the two users to check whether the carrier has been intercepted. 

In quantum mechanics, any measurement that does not disturb a complete set of non-orthogonal
states also fails to yield any information distinguishing them 0. (See Appendix
for a proof.) In particular, it is impossible for the eavesdropper to clone non-orthogonal
states. Therefore, coding based on non-orthogonal states can be used to detect any eavesdropping
attempt ||. The feasibility of secure quantum key distribution over long distance
by optical fiber has been recently demonstrated: A prototype system at BT laboratories
is capable of key transfer over 10 km in optical fiber at data rates of 20 kbit s$^{-1}$ 0. The
investigation on the foundations of quantum cryptography is thus timely.

Noise is inevitable in any real communication channel. It is, therefore, crucial to demonstrate
the security of quantum cryptography when the communication channel is noisy.
Various eavesdropping strategies have been investigated in the literature ||. In order to
acquire any appreciable amount of information about the transmitted signals, they are all
shown to introduce a substantial change in the error rate. Therefore, quantum cryptography
is generally conjectured to be secure. Unfortunately, it has not yet been ruled out
that still more sophisticated use of quantum physics might defeat quantum cryptography¹.
This is hardly a comforting situation: In the long history of classical cryptography, there 
were numerous instances of unexpected failures of cryptographic schemes (e.g., the knapsack 
scheme) that were once believed to be unbreakable. Such failures often led to dramatic and 
even disastrous consequences. To ensure that quantum cryptography does not follow the 
same trail, it is, therefore, essential for us to establish rigorously its absolute security. The 
first goal of this paper is to give such a proof. 

The most general eavesdropping strategy available to an eavesdropper, traditionally 
called Eve, is for her to coherently manipulate all the transmitted particles || by coupling
them as a single entity with a probe (an ancilla). Eve may subsequently perform measurements
on the ancilla to acquire information about the transmission. In Section II, we prove
the security of quantum cryptography in a noisy channel by showing that it is unbreakable 
even by coherent manipulations performed by the eavesdropper. 

After establishing the security of quantum cryptography, we come to the next question: 
how much information can be securely transmitted through a noisy quantum communication 
channel? Both eavesdropping and the intrinsic noise of the system introduce errors (including 
decoherence) in the channel and it is often difficult to distinguish between the two sources. 
Therefore, a conservative user may assume that all the errors are due to the wiretapping. 
Since wiretapping in a quantum channel necessarily leads to errors in the transmission, the 
legitimate users can put an upper bound to the extent of wiretapping by determining the 
error rate of the channel. Standard techniques such as error-correcting codes and privacy 
amplification can then be applied to the partly secret raw signals to distill a shorter but 
absolutely secure sequence of bits which can then be used as the key for subsequent classical
communication. An insecure but unjammable (i.e., subject to wiretapping but not alteration
of messages) classical channel can be used for the public discussion between the two users
during the distillation process.

¹ Deutsch et al. || have suggested a purification scheme in which the two legitimate users perform
coherent manipulations on the transmitted particles. Such a scheme is asymptotically unconditionally
safe against any attack. Unfortunately, its efficiency is very limited.

The maximal number of secure bits that can be distilled from each raw signal transmitted 
through a quantum channel is clearly a function of the error rate. It is defined as the 
secrecy capacity || of the quantum channel. The second goal of this paper is to find out 
the properties of this function. 

However, we face two problems in our investigation. The first difficulty is that, unlike 
classical information theory [7], which is a mature field, a quantum theory of information
is still being developed. For example, despite much past effort, a most basic problem in 
quantum information theory — the classical information-carrying capacity of non-orthogonal 
quantum signals — is still generally unsolved ||. Our inability to answer this basic question 
makes the issue of secrecy capacity even more intractable. The second problem is the fact 
that, even within the context of classical information theory, no simple expression has been 
found for the secrecy capacity in general ||. Only lower and upper bounds have been 
obtained. Going to the quantum regime will almost certainly not make things any easier. 
Despite these two difficulties, we shall see in this paper that much about the secrecy capacity 
can still be learned. 

The organization of this paper is as follows. In Section II, we introduce a simple spherical
symmetric EPR-based cryptographic scheme as a toy model and establish its security against
eavesdropping even in the presence of noise. By deriving a lower bound to its security
capacity, we demonstrate that as the error rate tends to zero, the performance of such a
noisy quantum channel approaches that of a noiseless one. In Section III, we generalize our
toy model results to more realistic cryptographic schemes. First, the assumption of spherical 
symmetry can be relaxed and any choice of two or more non-orthogonal measurement bases 
suffices to guarantee the security of an EPR-based scheme (provided that the error rate 
is sufficiently small). Second, we show that polarization based cryptographic schemes are 
conceptually equivalent to EPR-based schemes. Hence, the proof of the security of quantum 
cryptography and the discussion about secrecy capacity for our toy model trivially carry
over to polarization based schemes. One interesting implication of our results is that one 
can essentially double the efficiency of a most well known cryptographic scheme proposed by 
Bennett and Brassard simply by assigning vastly different probabilities to the two conjugate 
bases. 

II. COHERENT MEASUREMENTS 

In this Section, we shall establish the security of the following cryptographic scheme 
against any attack even in the presence of noise and investigate its secrecy capacity. Consider 
two legitimate users, traditionally called Alice and Bob who make use of N EPR pairs to 
transmit secret messages. (Here N is supposed to be large.) We assume that there is 
also another public, unjammable, classical communication channel between them. That 
is, anyone including the eavesdropper can listen to the signals without worrying about 
being detected. However, alterations of the signals are forbidden. The procedure goes as 
follows: Alice prepares N EPR pairs and sends one member of each pair to Bob, keeping the 
other member. After receiving all N transmitted particles, Bob publicly acknowledges his 
reception. For each particle that she has kept, Alice chooses a random axis independently 
to measure its spin. Afterwards, she publicly announces the axes that she has chosen for 
her measurements, but not the results. Bob then performs a measurement on the spin 
of the other member of the pair along the axis chosen by Alice. Ideally, the combined 
state of each pair should be a singlet. Thus, the measurement results of Alice and Bob 
should be antiparallel. Of course, errors are inevitable due to the presence of noise in the 
communication channel. Nonetheless, most of the spin measurements for the two members 
of the various pairs should remain antiparallel. (Of course, errors may also occur due to the 
measurement process itself. For example, a misalignment of the measurement bases used 
by Alice and Bob will lead to an increased error rate. However, in this paper we will not
consider this type of error.)

A more serious problem is the following: it is conceivable that some of the errors are
due to an eavesdropping attempt by an eavesdropper, traditionally called Eve. To estimate 
the extent of eavesdropping, Alice and Bob may choose randomly a subset of m pairs and 
declare their measurement results in public. By doing so, they can compute the error rate 
for the m test pairs. If the error rate is found to be unreasonably large, they assume that 
eavesdropping has occurred. Thus, they should reject the whole run and go through the 
procedure again. Otherwise, they assume that no successful eavesdropping attempt has 
been made. Now they share the remaining $N - m$ bits which may well be corrupted by the
noise and Eve's wiretapping attempt. So, the hope is that, at sufficiently small error rates, 
Alice and Bob can use well-known schemes of error correction and privacy amplification to 
distill out a shorter key of absolute security against Eve's attack. 

The question that we would like to answer is the following: For a noisy quantum communication
channel, will Eve be able to obtain a large amount of the information shared between
Alice and Bob without exposing her eavesdropping attempt by coherently interacting the 
N transmitted particles with an ancilla? This is in fact the most general eavesdropping 
strategy. 

Before going into the question of coherent manipulation, let us consider a single EPR pair. 
The Hilbert space of an EPR pair is spanned by the singlet $|\psi_0\rangle$ and the three other states
$|\psi_1\rangle$, $|\psi_2\rangle$, and $|\psi_3\rangle$. Only the singlet state is guaranteed to give the desirable antiparallel
result for the measurement along any axis chosen by Alice and Bob. For a noisy channel,
the output will generally be a mixed state which may be described by a density matrix $M$.
One can define the fidelity as $F = \langle\psi_0|M|\psi_0\rangle$ [[|. It is the probability of the mixed state
for passing a test for being a singlet state. (Thus, $0 \le F \le 1$.) Being so, it is invariant
under simultaneous rotations of the two particles. Given an ensemble of identical pairs each 
described by M, one can estimate its fidelity by the following process. For each pair, Alice 
picks a random axis to measure the spin of a member of the pair. Bob performs a similar 
measurement along the same axis on the other member. Notice that for a given mixed 
state of an EPR pair described by M and a random axis of measurement chosen by Alice, 
the probability that Alice and Bob's measurements give antiparallel results is $(1 + 2F)/3$.
The physical reason is simple. If the two members of the i-th pair are measured along the
z-axis and found to be antiparallel, a state in the subspace spanned by the singlet state and
$(|10\rangle_z + |01\rangle_z)/\sqrt{2}$ is consistent with this result but those in the orthogonal complement of this
subspace are not. If they are measured along the x-axis instead, an antiparallel result will
only be consistent with a state in the subspace spanned by the singlet and $(|10\rangle_x + |01\rangle_x)/\sqrt{2}$
but not with a state in its orthogonal complement. As we are considering a random axis,
there is spherical symmetry. Since only one of the three non-singlet states will give an
antiparallel result, we have $P(\text{antiparallel}) = F + [(1 - F)/3] = (1 + 2F)/3$. Intuitively,
this means that when an EPR pair is in a non-singlet state, there is a probability of 2/3 
of failing to give an antiparallel result. As discussed before, Alice and Bob estimate the 
error rate of the channel by publicly announcing the results of their measurements for m 
pairs. For a communication channel with a small error rate, it would therefore be unwise for 
Eve to cheat by substituting non-singlet EPR pairs into the communication channel. Any 
amount of substitution with the number of non-singlets higher than 3/2 of the original error 
rate of the channel is highly likely to lead to an abnormally high error rate in the m test 
bits and consequently detection by Alice and Bob. The curious fact is that, in what follows 
this simple observation will play a crucial role in our argument for the case of coherent 
manipulation. 
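
The relation P(antiparallel) = (1 + 2F)/3 can be checked numerically. The Python sketch below is an added example, not code from the paper; it represents a mixed state as a list of (weight, state vector) pairs, and the Bell-state ordering and all function names are assumptions made for the illustration.

```python
import math
import random

S = 1 / math.sqrt(2)
# Basis order |00>, |01>, |10>, |11>, with 0 = spin up and 1 = spin down along z.
SINGLET = [0, S, -S, 0]                                      # psi_0
TRIPLETS = [[0, S, S, 0], [S, 0, 0, -S], [S, 0, 0, S]]       # psi_1, psi_2, psi_3


def spin_projector(axis, sign):
    """2x2 projector (I + sign * n.sigma)/2 onto spin `sign` along unit vector n."""
    x, y, z = axis
    return [[(1 + sign * z) / 2, sign * (x - 1j * y) / 2],
            [sign * (x + 1j * y) / 2, (1 - sign * z) / 2]]


def kron(a, b):
    """Tensor product of two 2x2 matrices (first factor = Alice's particle)."""
    return [[a[i][j] * b[k][l] for j in range(2) for l in range(2)]
            for i in range(2) for k in range(2)]


def antiparallel_projector(axis):
    """Projector onto 'Alice up, Bob down' plus 'Alice down, Bob up' along axis."""
    up, down = spin_projector(axis, +1), spin_projector(axis, -1)
    a, b = kron(up, down), kron(down, up)
    return [[a[r][c] + b[r][c] for c in range(4)] for r in range(4)]


def expectation(vec, op):
    """<vec|op|vec> for a 4-component state vector."""
    return sum(complex(vec[r]).conjugate() * op[r][c] * vec[c]
               for r in range(4) for c in range(4)).real


def fidelity(mixture):
    """F = <psi_0|M|psi_0> for M = sum_k w_k |v_k><v_k|."""
    return sum(w * abs(sum(complex(s).conjugate() * v for s, v in zip(SINGLET, vec))) ** 2
               for w, vec in mixture)


def p_antiparallel(mixture, axis):
    proj = antiparallel_projector(axis)
    return sum(w * expectation(vec, proj) for w, vec in mixture)


def p_antiparallel_random_axis(mixture):
    """Exact average over a uniformly random axis.

    The projector equals (1 - (n.sigma)x(n.sigma))/2, a quadratic form in n, so the
    average over the x, y and z axes equals the average over the whole sphere.
    """
    axes = [(1, 0, 0), (0, 1, 0), (0, 0, 1)]
    return sum(p_antiparallel(mixture, a) for a in axes) / 3


def monte_carlo_antiparallel(mixture, samples, seed=0):
    """Same average, estimated by drawing random axes as Alice does."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(samples):
        g = [rng.gauss(0, 1) for _ in range(3)]
        norm = math.sqrt(sum(x * x for x in g))
        total += p_antiparallel(mixture, [x / norm for x in g])
    return total / samples


def werner(f):
    """Constructed test state: weight f on the singlet, the rest spread evenly."""
    return [(f, SINGLET)] + [((1 - f) / 3, t) for t in TRIPLETS]


if __name__ == "__main__":
    for f in (1.0, 0.9, 0.5):
        p = p_antiparallel_random_axis(werner(f))
        print(f"F={f:.2f}  P(antiparallel)={p:.4f}  error rate={1 - p:.4f}")
    lopsided = [(0.9, SINGLET), (0.1, TRIPLETS[0])]
    print("Monte Carlo:", round(monte_carlo_antiparallel(lopsided, 5000), 4))
```

The error rate printed for each F is 2(1 - F)/3, which is the 2/3 failure probability per non-singlet pair used in the substitution argument.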



A. Security of our EPR Based Scheme 

To prove the security of the above EPR based scheme, first note that the most favorable 
scenario for an eavesdropper Eve would be to allow her to prepare the states for the N EPR 
pairs. Any (more realistic) situation will involve environmental noises and can be regarded 
as a special case in which Eve does not utilize the full control she has on the EPR states. 
The most general state that Eve can prepare is of the form

$$\sum_{i_1, i_2, \ldots, i_N} a_{i_1 i_2 \cdots i_N} |\psi_{i_1}\rangle |\psi_{i_2}\rangle \cdots |\psi_{i_N}\rangle |R_{i_1 i_2 \cdots i_N}\rangle, \qquad (1)$$

where $|R_{i_1 i_2 \cdots i_N}\rangle$ is the state of the ancilla. The $|R_{i_1 i_2 \cdots i_N}\rangle$ are normalized but need not be
orthogonal to one another.

Suppose Eve is eavesdropping an ideal channel. Alice and Bob may draw m pairs randomly
out of the N transmitted pairs and publicly compare their measurement results. They
will regard the transmission of N particles as untampered only if all the m drawn pairs show
antiparallel results in their measurements. The only way for Eve to guarantee this is to have
all the N pairs in the singlet state. Therefore, Eve must set all $a_{i_1 i_2 \cdots i_N}$ to be zero except
for one state (the tensor product of singlets). Thus, she will not be able to obtain any 
information about an ideal channel. 

What about a noisy channel? Suppose, based on previous communication experience, 
Alice and Bob know that the actual channel error rate in the absence of eavesdropping is $e$.
(Except for Subsection III D, we will only be interested in the regime $e \ll 1$ in this paper.)
They again draw m pairs randomly from the N transmitted pairs. We assume $m \ll N$ but m
is still large enough for an accurate estimation of the error rate. In the limit $N \to \infty$, we let
$m \to \infty$ but $m/N \to 0$. Alice and Bob may agree that the channel error rate is acceptable
if and only if the number of errors found is in the region, say, $[(e - ce^2)m, (e + ce^2)m]$ where
$c = O(1)$.

The key observation is that most basis vectors in Eq. (1) are highly unlikely to give an
error rate in this region. Even if we are generous enough to extend the acceptable error
range to $[0, (e + ce^2)m]$, our conclusion does not change. Consider a vector of the form
$|\psi_{i_1}\rangle |\psi_{i_2}\rangle \cdots |\psi_{i_N}\rangle$ where $Na$ of the $i_j$'s (for $j = 1, 2, \ldots, N$) are nonzero (i.e., non-singlet).
Since the measurement axes are chosen randomly for the m test samples, such a state on
average gives a parallel (i.e., incorrect) result for $2ma/3$ pairs which is much larger than the
maximal tolerable number $(e + ce^2)m$ for, say, $a > 2e > e + ce^2$. Since we assume $e \ll 1$,
most of the basis vectors in Eq. (1) contain far more than $2Ne$ non-singlet states in a tensor
product decomposition with respect to each particle and tend to give abnormally high error
rates. Therefore, inspired by Shannon [10], we divide up the Hilbert space of the N pairs
into a 'typical' subspace and its orthogonal complement, an 'atypical' subspace. A typical
subspace is one whose states have exponentially small probabilities to give an acceptable
error rate [7]. A vector in an atypical subspace may fare better. An example of a typical
subspace A may be spanned by vectors of the form $|\psi_{i_1}\rangle |\psi_{i_2}\rangle \cdots |\psi_{i_N}\rangle$ where the number
of non-singlet $i_j$'s (i.e., $i_j \neq 0$) (here, $j = 1, 2, \ldots, N$) is larger than or equal to $2Ne$.
Its orthogonal complement is the atypical subspace. It is spanned by vectors of the form
$|\psi_{i_1}\rangle |\psi_{i_2}\rangle \cdots |\psi_{i_N}\rangle$ where the number of $i_j$'s ($j = 1, 2, \ldots, N$) that are non-singlet (i.e., $i_j \neq 0$)
is less than $2Ne$. Notice that, given a state, the number of $i_j$'s that are non-zero has an
invariant meaning. We shall only consider simultaneous rotations of the two particles in
each pair. Under arbitrary and independent rotations of all pairs, such a state transforms
into a linear superposition of states with the same number of non-zero $i_j$'s.

Here comes another important observation: the atypical subspace has a small dimension
(as compared to $2^N$, the dimension which gives the N classical bits of information shared
between Alice and Bob). To be more precise, one can give the following generous bound to
the dimension of the atypical subspace
where k is a positive constant, /1 a small number of order log N/N, and H(x)
$(1 - x)\log_2(1 - x)]$ is the entropy function. Note that the inequality
and the concavity of H(x) have been used in the third and the fourth lines of Eq. (2), respectively.
For our purposes, Eq. (2) is good enough because $2^{-Nke\log_2 e}$ is clearly exponentially
smaller than $2^N$, the dimension that gives N bits of information. Nonetheless, we remark
in passing that a much more refined bound could be found.

Suppose Eve prepares the state

$$\sum_i a_i |\text{typical}_i\rangle |R_i\rangle + \sum_j b_j |\text{atypical}_j\rangle |R_j\rangle \qquad (4)$$

for the combined system of 2N particles and ancilla. Alice and Bob will only accept a run 
of N pairs if m randomly chosen samples give a reasonable error rate. If we average over all 
the random axes, the probability of passing such a test is

$$P(\text{passing}) \le \sum_i |a_i|^2 \exp(-f(m)) + \sum_j |b_j|^2, \qquad (5)$$

where $f(m)$ is the minimal exponential suppression factor for vectors in the typical subspace
to pass such a test [7]. Notice that $f(m) \to \infty$ as $m \to \infty$. Thus, the contribution from the
typical subspace is bounded above by $\exp(-f(m))$ which goes to 0 as $m \to \infty$.
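
The two observations of this subsection (basis vectors with at least 2Ne non-singlets rarely pass the test, and the remaining vectors span few dimensions) can be made concrete by exact counting. The Python example below is added here and is not from the paper; it assumes m ≪ N, so that each test pair is a non-singlet with probability a independently, takes c = 1, and uses illustrative function names and parameter values.

```python
import math
from fractions import Fraction


def atypical_log2_dim(n_pairs, e):
    """log2 of the number of product basis vectors with fewer than 2Ne non-singlets.

    A non-singlet slot can hold any of the three states psi_1..psi_3, so there are
    C(N, n) * 3**n basis vectors with exactly n non-singlets.
    """
    limit = math.ceil(2 * n_pairs * Fraction(str(e)))    # n runs over 0 .. limit-1
    limit = max(limit, 1)                                # e = 0: only the all-singlet vector
    dim = sum(math.comb(n_pairs, n) * 3 ** n for n in range(limit))
    return math.log2(dim)


def entropy_rate_bound(e):
    """Upper bound on log2(dim)/N: H(2e) + 2e*log2(3), valid for 0 < 2e <= 1/2."""
    x = 2 * e
    h = -(x * math.log2(x) + (1 - x) * math.log2(1 - x))
    return h + x * math.log2(3)


def pass_probability(a, m, e, c=1):
    """Chance that a basis vector with a fraction `a` of non-singlets passes the test.

    Assumed model (m << N): each of the m test pairs is a non-singlet with
    probability a and then gives a parallel result with probability 2/3, so the
    error count is Binomial(m, 2a/3). The run passes when the count lies in the
    generous range [0, (e + c*e**2) * m]. Exact integer arithmetic throughout.
    """
    p = Fraction(2, 3) * Fraction(str(a))
    ef = Fraction(str(e))
    t = math.floor((ef + c * ef ** 2) * m)
    num, den = p.numerator, p.denominator
    ways = sum(math.comb(m, j) * num ** j * (den - num) ** (m - j)
               for j in range(min(t, m) + 1))
    return ways / den ** m


if __name__ == "__main__":
    e = 0.05
    print("test size m   a = 2e (typical)   a = e (atypical)")
    for m in (200, 800, 3200):
        print(f"{m:11d}   {pass_probability(2 * e, m, e):16.2e}"
              f"   {pass_probability(e, m, e):16.4f}")
    print()
    print("N pairs   log2(atypical dim)/N   bound H(2e)+2e*log2(3)")
    for n in (200, 1000, 5000):
        print(f"{n:7d}   {atypical_log2_dim(n, e) / n:20.4f}"
              f"   {entropy_rate_bound(e):.4f}")
```

Since a measurement on a system confined to a d-dimensional space yields at most log2(d) bits, the second table bounds the bits per pair available from the atypical subspace, well below the 1 bit per pair shared by Alice and Bob.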

B. Eve's Dilemma 

Now the dilemma that Eve faces is clear. In order to have even just an exponentially small 
probability $\exp(-f(m)/2)$ of passing the sample testing, the contribution from the atypical
subspace must exponentially dominate that from the typical subspace. Without much loss 
of generality, one can assume that the whole typical space simply drops out whenever the 
testing of the m samples is passed. Therefore, effectively, the dimension of the Hilbert space 
is reduced to that of the atypical space. But the atypical subspace has a small
dimension and is incapable of giving Eve much information.

In case the above discussion is still not transparent, in this paragraph, we show how this 
selection effect comes about in more detail. Let us specify the measurement axes for the 
m test samples. An outcome is the results (up or down) of the 2m measurements made by 
Alice and Bob. Suppose the initial state of the combined ancilla-particles system is given by 
$|u_0\rangle$. According to the conventional interpretation of quantum mechanics, if a measurement
gives an outcome j (a state $|v_j\rangle$ for the m test pairs), the state of the system will be projected
onto $|j\rangle = (|v_j\rangle\langle v_j| \otimes 1_{\text{other}})|u_0\rangle$, where $1_{\text{other}}$ is the identity operator for the other degrees
of freedom (i.e., the $N - m$ remaining pairs and the ancilla). The probability $p_j$ of this
outcome j occurring is given by $\sum_i |(\langle v_j|\langle r_i|)|u_0\rangle|^2$ where $\langle r_i|$ denotes the state of the other
degrees of freedom and the sum is over a complete basis. Since Alice and Bob will reject
all measurement results with abnormally high error rates, most outcomes j will be rejected.
Under the assumption that the m samples pass the test, the state of the combined system
after the test will be described by a density matrix

$$\rho_c = \sum_j \Big( p_j \Big/ \sum_i p_i \Big) |j\rangle\langle j|, \qquad (6)$$

where the sums are over those outcomes that pass the test. The crucial insight is, however, 
that all basis vectors are not created equal. As noted before, if we consider a tensor product 
state of n non-singlets and $N - n$ singlets, under arbitrary and independent rotations of all
pairs, it will transform into a linear superposition of states that are also made of n non-singlets
and $N - n$ singlets. (Here, particles in the same pair are only allowed to be rotated
by the same amount because we are only interested in measurements that are done along 
the same axis on the two members of a pair.) The likelihood of a state in passing the test 
depends on n. Vectors in the typical space have a large n and are exponentially unlikely (as 
a function of m) to pass the test while those in atypical space may fare better. Therefore, 
any realistic chance of passing the test is due to the atypical space (which consists of vectors 
of small n). This selection effect effectively eliminates the whole typical space from our 
consideration. 

Moreover, the atypical space has a small dimension $2^{-Nke\log e}$ as given by Eq. (2). An
upper bound on the amount of information that Eve can acquire by measuring the ancilla
is given by Holevo's theorem [11]:

$$I_{\text{eve}}^{\max} = S(\rho_R) = -\mathrm{Tr}\,\rho_R \log \rho_R, \qquad (7)$$

where

$$\rho_R = \mathrm{Tr}_{\text{particles}}\,\rho_c = \mathrm{Tr}_{\text{particles}} \sum_j \Big( p_j \Big/ \sum_i p_i \Big) |j\rangle\langle j| \qquad (8)$$



is the reduced density matrix for the ancilla given that the m samples pass the test. We
obtain an upper bound

$$I_{\text{eve}}^{\max} \le N[-ke\log e + \theta], \qquad (9)$$

where $\theta$ is a small correction term coming from the typical space. Asymptotically, $\theta$ can be
made as small as one pleases by taking $m \to \infty$.

Eve may well have some a priori information about the measurements. The point is that
the probability of getting an "up" in Alice's (or Bob's) measurement may well depend on
the orientation of the axis chosen. The probability that the spin measurements by Alice
and Bob are antiparallel can also have such an orientation dependence. Thus, the mutual
information shared by Alice and Bob may actually be smaller than N bits. Nevertheless,
any correction term must be of the order $-Ne\log e$. For sufficiently small error rate e, the
secrecy capacity $C_s$ of the channel (per EPR pair) therefore satisfies

$$C_s \ge [1 - k' e\log e], \qquad (10)$$

where k' is some constant. Notice that as the fidelity $F \to 1$, $e \to 0$ and $C_s \to 1$. Therefore,
an arbitrarily small error rate implies a secrecy capacity arbitrarily close to the ideal channel
capacity (which is one bit per EPR pair). Notice that Eve can still mess up the results of say
$O(\log N)$ pairs without worrying about being detected because the portion of pairs tested
$m/N \to 0$. However, this has no effect on the secrecy capacity. What we have shown is that
any attempt to obtain $O(N)$ bits of information will be almost surely detected.

What is the principle underlying the security of an EPR-based cryptographic scheme?
Ekert [12] suggested that it comes from Bell's theorem. However, Bennett, Brassard and Mermin
|]J later proved the security of EPR-based schemes without invoking Bell's theorem.
Nevertheless, both works only addressed noiseless channels. Here, we would like to propose
an alternative viewpoint which remains useful even for noisy channels. From an information-theoretic
point of view, the security of an EPR-based quantum cryptographic scheme can
be traced back to the observation that in quantum physics, knowing completely the state of
a composite system does not guarantee complete knowledge of the states of the individual 
constituents because of the presence of entanglement entropy. For instance, the entropy of 
each member of a perfect EPR pair is non-zero even though the total entropy of the pair is 
zero. Consequently, two observers are able to use an EPR pair to transmit a random but 
secret bit of classical information. Heuristically, in the presence of noise, we expect that 
transmission of secret information is still possible as long as the "entanglement entropy" 
remains larger than the entropy of the composite system. 

III. GENERALIZATIONS 

For simplicity, we have discussed only the case in which Alice chooses the bases for her 
measurement randomly. Some generalizations of the above result are possible. A moment 
of thought will convince the reader that a similar proof can be formulated to the case when 
say only two non-orthogonal bases are used. 

Let us consider another modification of the procedure. What if Alice performs the 
measurement on the particles in her share before sending Bob the other member of the EPR 
pair? Since the operators Alice uses in the measuring process only act on the particles in 
her share, they must commute with any operators (which may be used by Eve and Bob) 
that act on the particles in Bob's control. It is, thus, immaterial² whether Alice performs
the measurement first and sends out the rest second or the other way round provided Alice
announces her basis only after Bob's public acknowledgment of his reception of all N particles
in his share. Since all particles are already in Bob's hand, it is too late for Eve to do anything.
Notice that if Alice announces her basis too early (say she announces her basis each time Bob
acknowledges his reception of one particle), this argument does not preclude an intelligent
eavesdropper from obtaining a substantial amount of information about Alice and Bob's
measurement results.

² Incidentally, a related idea is used in the context of quantum computing in a recent preprint by
Griffiths and Niu ||.

A. Polarization Based Schemes 

Remarkably, the above simple observation — that it is immaterial whether Alice measures 
the spins first and sends out the other particles second or vice versa — has deep consequences. 
So far our discussion has been concentrated on EPR based cryptographic schemes. However, 
another class of schemes that are based on the polarization of photons has been discussed in 
the literature. For instance, in 1984 Bennett and Brassard [14] proposed a scheme (BB84)
in which the key distribution between Alice and Bob is done by sending photons over optical
fiber. To detect eavesdropping, Alice chooses randomly with equal probability between the
rectilinear basis (i.e., horizontal and vertical) and the diagonal basis (45° and 135°). A
horizontally polarized photon can represent a 0 and vertical a 1. Similarly, a 45° polarized
photon can represent a 0 and 135° a 1. 0's and 1's are chosen with equal probability. Alice
then transmits a photon in the basis of her choice. Similarly, Bob performs a measurement 
along the rectilinear basis and the diagonal basis with equal probability. Afterwards, both 
Alice and Bob publicly announce the bases that they have chosen, but not the results of 
their measurements. Their bases will therefore agree with each other only half of the time. 
As in the case of EPR based schemes, they can then choose a subset of those measurements 
that are done in the same bases and compare the results in public. From the error rate of 
the m test samples, they can estimate the error rate for the whole run and hence the degree 
of eavesdropping. They can then decide whether to accept the run or to reject the run and 
do it again. 

As argued by Bennett, Brassard and Mermin [I], the two classes of schemes (EPR based 
and polarization based) are conceptually equivalent. The point is that Alice could have 
prepared each photon by producing an EPR pair of photons and measuring one member 
along a random axis (rectilinear or diagonal), letting the other particle, now in a known
random one of the four states, pass to Bob. We remark that this argument remains valid
even for a noisy channel. 

There is still, however, one minor difference. So far we have assumed that, after the 
transmission of the N EPR pairs, Alice informs Bob of her basis of measurement for her 
particle in each pair and Bob is supposed to measure the spin of the corresponding partner 
along the same basis. It is of course experimentally difficult for Bob to store up a large 
number of photons to wait for Alice's announcement of her bases. Allowing Alice and Bob 
to choose between the two bases (rectilinear and diagonal) independently as in the BB84 
scheme is definitely more realistic. Is this going to affect our conclusions? 

The answer is no. Recall that all we need in our proof is to use a small subset of the EPR 
pair to estimate the error rate when the axes Alice and Bob used do agree. Whether the 
axes for other measurements agree or not is irrelevant. Our proof of security of EPR based 
cryptography, therefore, automatically implies the security of polarization based schemes 
even if Alice and Bob choose their measurement axes independently. 

There are two alternative points of view regarding the underlying principles governing 
the security of quantum cryptography. The first and more well publicized point of view, 
which has been discussed in Section I, is that measurements performed on non-orthogonal
states in quantum mechanics generally lead to disturbance. For a noiseless channel, it leads
to the generalized "no-cloning" theorem (see the Appendix). In our opinion, the trade-off
between information gain and disturbance by an eavesdropper in a noisy channel remains
to be studied in more detail. The second point of view, which has been discussed in the last
paragraph of Section II, is that the security of quantum cryptography lies in the possibility
in quantum mechanics of the "entanglement entropy" between two subsystems being larger 
than the entropy of the whole system. The equivalence between EPR and polarization based 
schemes suggests that these two alternative points of view are in fact equivalent. 

B. Doubling Efficiency in BB84



In the BB84 scheme, Alice and Bob choose their measurement axes from two conjugate 
bases (rectilinear and diagonal) independently and with equal probability. A drawback of 
such a scheme is the reduction of the ideal secrecy capacity to half of the optimal value (i.e.,
1/2 bit per pair vs 1 bit per pair because only half of the time will the two independently chosen
bases by Alice and Bob agree). However, we would like to remark that the restriction of equal
probability in choosing the two bases is totally redundant. Conceptually, the probability of
choosing the rectilinear basis can be made much larger than the probability for the diagonal
basis. At small error rates, this will lead to a secrecy capacity which is almost double that of the
original BB84 scheme.

More explicitly, consider a noisy channel with error rate $e < 1$. Suppose they choose the
rectilinear and diagonal bases with probabilities $1 - \omega$ and $\omega$ respectively (where $\omega < 1$).
For the transmission of $N$ photons, there are on average $N\omega^2$ photons for which both Alice
and Bob measure along the diagonal basis. They can, for example, publicly compare their
measurement results for those $N\omega^2$ photons. In addition, they also randomly choose $N\omega^2$
photons from the set for which they both measure along the rectilinear axis. They can decide
that the error rate is acceptable if and only if it is less than $2e$. Now given any $\omega \ll 1$, there
exists an $N_0$ such that, for the transmission of $N > N_0$ photons, any eavesdropping attempt
to get more than $O(-Ne \log e)$ bits of information about the state of the transmitted particles
will almost surely be detected. Thus, this scheme with different probabilities for the two
bases is clearly secure. Furthermore, it has the benefit that, in the limit $\omega \to 0$, we obtain
essentially double the efficiency of the scheme proposed by Bennett and Brassard. It is
of practical interest to investigate whether this observation will lead to the design of more
efficient protocols for, say, quantum oblivious transfer and quantum bit commitment [15].
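
The counting argument above can be checked numerically. The following Python sketch is an added example, not code from the paper: it is a classical toy model in which the function names, the seed, the separate application of the $2e$ threshold to each test set, and the optional interceptor that measures and resends every photon in the rectilinear basis are all assumptions made for illustration. It shows the sifted fraction approaching 1 for small $\omega$ and why the small diagonal test set is still needed for detection.

```python
import random

def sifted_fraction(omega):
    """Probability that Alice and Bob independently pick the same basis."""
    return (1 - omega) ** 2 + omega ** 2

def run(n, omega, e, eve_rectilinear=False, seed=1):
    """Classical toy model of BB84 with basis bias omega (constructed here).

    Each party picks the diagonal basis with probability omega. The channel
    flips Bob's bit with probability e. With eve_rectilinear set, every photon
    is measured and resent in the rectilinear basis before it reaches Bob.
    """
    rng = random.Random(seed)
    diag, rect = [], []                  # error flags, matched bases only
    for _ in range(n):
        a_diag = rng.random() < omega
        b_diag = rng.random() < omega
        if a_diag != b_diag:
            continue                     # bases differ: dropped in sifting
        bit = rng.getrandbits(1)
        bob = bit
        if eve_rectilinear and a_diag:
            bob = rng.getrandbits(1)     # wrong-basis resend randomizes Bob
        if rng.random() < e:
            bob ^= 1                     # channel noise
        (diag if a_diag else rect).append(bob != bit)
    # Test sets: every both-diagonal photon plus an equal-size random sample
    # of both-rectilinear photons (about n * omega**2 each).
    k = min(len(diag), len(rect))
    out = {"sifted": (len(diag) + len(rect)) / n, "test_size": k,
           "key_fraction": (len(rect) - k) / n}
    if k == 0:
        return dict(out, accepted=False, err_diag=None, err_rect=None)
    err_diag = sum(diag) / len(diag)
    err_rect = sum(rng.sample(rect, k)) / k
    # Assumption: the 2e threshold is applied to each test set separately.
    accepted = err_diag < 2 * e and err_rect < 2 * e
    return dict(out, accepted=accepted, err_diag=err_diag, err_rect=err_rect)

if __name__ == "__main__":
    for eve in (False, True):
        print(eve, run(200_000, 0.1, 0.02, eve_rectilinear=eve))
```

The `key_fraction` value counts untested matched-basis photons only; it does not account for the bits later consumed by error correction and privacy amplification.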

C. Other Generalizations

Of course, in practical applications, the quantum signals used in BB84 are low-intensity
light pulses rather than ideal single photon pulses. In that case, we must consider the
possibility of a beamsplitting attack. We shall, however, pursue this problem no further in
this paper.

There are other protocols for polarization based cryptographic schemes. For instance, two
rather than four non-orthogonal quantum states are used in a scheme proposed by Bennett.
We believe that the techniques developed in this paper can be used to prove the security
of schemes of this kind as well.

D. Properties of Secrecy Capacity 

Let us return to the subject of secrecy capacity. So far, we have only derived a lower 
bound to the secrecy capacity of a quantum communication channel. Can we derive an upper 
bound? At first sight, the answer is a simple yes: One can just choose an eavesdropping 
strategy and compute the amount of information acquired through it. On second thought, 
it is not so simple. Given an eavesdropping strategy, Alice and Bob may counteract by 
changing their procedure. Instead of measuring the state of each carrier of quantum signal
and performing classical error correction and privacy amplification as assumed before, they
may manipulate the state of a number of the particles coherently. It is not entirely
inconceivable that such quantum processing of signals might give the users more information
than any classical methods. This subject deserves further investigation.

Barring coherent manipulation by the users, one can show that the secrecy capacity is
a convex function of the error rate. In other words, $C_s(ax + by) \le a C_s(x) + b C_s(y)$ for all
$a, b < 1$ such that $a + b = 1$. The idea is the following: given strategies $S_x$ and $S_y$ that
correspond to the preparation of the ancilla-particles states $|u_x\rangle$ and $|u_y\rangle$ with error rates
$x$ and $y$ respectively, Eve can construct the tensor product state
$|u_x\rangle \otimes |u_x\rangle \otimes \cdots \otimes |u_x\rangle \otimes |u_y\rangle \otimes |u_y\rangle \otimes \cdots \otimes |u_y\rangle$
(with arbitrary numbers of $|u_x\rangle$'s and $|u_y\rangle$'s and permutations of
the particles involved if desired) to give an error rate $ax + by$. If the legitimate users knew
about the decomposition of the channel, the secrecy capacity they could achieve would be
$a C_s(x) + b C_s(y)$. Their ignorance certainly makes things worse. Hence,
$C_s(ax + by) \le a C_s(x) + b C_s(y)$.

Another interesting question is the following: For the EPR based scheme discussed in
section ||, what is the minimal value of $e$ (call it $e_{\min}$) such that $C_s(e) = 0$? That is to
say, the channel is too noisy to be of any use. Clearly, $C_s(1/2) = 0$ (because P(parallel) =
P(antiparallel) = 1/2) and thus $e_{\min} \le 1/2$. The value of $e_{\min}$ is an interesting open question.

The EPR scheme introduced in Section |I| is designed to be spherically symmetric so that
the problem can be characterized by just one parameter, namely the fidelity or the error
rate. This is why the secrecy capacity is a function of one variable. In a more general
setting, more than one parameter may be needed for the characterization of the noise
level of a quantum communication channel. Consequently, the secrecy capacity will be a
function of multiple variables. As far as the legitimate users are concerned, the output of a
communication channel is related to the input by a superscattering matrix. The goal of the
users is to choose their inputs so as to maximize the information of the output and minimize
the information leakage to the environment at the same time.

E. Conclusions 

We have proved that an EPR based quantum cryptographic scheme is secure against
coherent measurements by eavesdroppers. Our proof relies on the law of large numbers.
The dimension of the space of states that are consistent with a small error rate is exponentially
smaller than the dimension of the whole Hilbert space. Thus, by testing the error rate for
a small subset of signals, one can effectively eliminate most dimensions. Consequently, an
eavesdropper is unable to get much information. Moreover, we prove that a polarization
based cryptographic scheme is conceptually equivalent to an EPR based scheme. Our proof
of the security of quantum cryptography therefore carries over to the former. The secrecy
capacity of a quantum channel is also investigated.

On a conceptual level, our work suggests that the two alternative points of view (namely
(1) the "no-cloning" theorem for non-orthogonal quantum states and (2) the entanglement
entropy between subsystems being larger than the entropy of the whole system)
concerning the principles underlying the security of quantum cryptography are in fact
equivalent. One practical implication of our results is that one can double the efficiency of the
cryptographic scheme proposed by Bennett and Brassard [14] (BB84) simply by assigning
vastly different probabilities to the two conjugate bases. Finally, we remark that the
beamsplitting attack remains to be addressed in future investigations.

APPENDIX: GENERALIZED QUANTUM "NO-CLONING" THEOREM

Suppose we are given a particle that can be in either one of the two non-orthogonal
states, $|u_1\rangle$ or $|u_2\rangle$, of a two-dimensional Hilbert space. Here, we prove that it is impossible
to obtain information distinguishing between the two possibilities without perturbing its
state. A simple proof goes as follows. An eavesdropper may generally couple an ancilla in
the state $|\Psi\rangle$ to the particle and evolve the combined system. To avoid detection, the final
state of the signal has to remain unchanged. Now suppose $U(|u_i\rangle|\Psi\rangle) = |u_i\rangle|\Phi_i\rangle$. Since $U$
is unitary,

$$\langle u_1|u_2\rangle = \langle\Psi|\langle u_1|u_2\rangle|\Psi\rangle = \langle u_1|u_2\rangle\langle\Phi_1|\Phi_2\rangle. \qquad \text{(A1)}$$

Since $\langle u_1|u_2\rangle \neq 0$, it follows that $\langle\Phi_1|\Phi_2\rangle = 1$. Thus, $|\Phi_1\rangle = |\Phi_2\rangle$ and no information can be
obtained.